[Solved] Suspended: Luth

[Luth]

Hi.

 

For some reason my hosting plan is suspended. I thought i last used Cpanel just few weeks ago.

I tried the renew script but it says account not found in database or not marked as inactive.

Cpanel reset password option sends an email to me, but the confirmation code does not work. The page just keeps asking for the code over and over.

 

Could you please re-activate my account manually?

 

username: luth

server: johnny

domain: god-irc.com

 

Thank you.

[wolstech]

HE takedown.

We don't usually unsuspend accounts suspended for this reason.

 

The abuse report suggests malware though (it specifically references godirc6_alert.exe as being infected with HackTool.Win32.mIRC.atR). I'll escalate it since malware is something we usually let people clean up.

[wolstech]

This support request is being escalated to our root admin.

[Luth]

Oh thats bummer.

 

The file is a windows software installer so absolutely no harm to server.

The alert is a false positive. I would never upload anything malicious to your server.

 

When i compiled the program i knew two of the included .dll:s (nHTMLn.dll and Moo.dll) might cause false positive result.

So i contacted several antivirus companies and they checked and removed if necessary the .dll from their database definitions.

No idea why it's shown again.

 

I've had the file on your server for 3 years now.

 

Thanks and sorry for the trouble.

[wolstech]

It looks like it contains mIRC, whose components are often abused as a backdoor. At least that's what usually makes something flag for that definition. You might want to host those files on another service like Google Drive and link to them from your site. If you do that, Google will just block access to it and mark it infected if someone complains, instead of your whole site being suspended as it was here.

 

What happened here is that somebody crawling your site flagged it and emailed our provider, who passes it along to us. We have to suspend every issue they ask us to, and most abuse reports we get are for Phishing or Spam anyway.

 

I'm only waiting for a response from Krydos because this one came from our provider as opposed to the normal malware suspensions from the ClamAV on our server (for those, we just ask you to clean up the malware).

[Krydos]

Your account has been unsuspended. Sorry for the inconvenience, but we have to take these reports very seriously. Since we are a free hosting service we tend to unfortunately attract a lot of the undesirables on the internet. When Hurricane Electric sends us a take down request we have to comply quickly otherwise they will (and have) null routed our IP addresses instantly taking down literally tens of thousands of innocent websites. The malware scanner that we use (clamav) shows your account as clean. If you take a look at virustotal: https://www.virustotal.com/en/file/f3be18c5019b692b1540fef32899101928a4656d3e26b8ca97fb93ab2696e903/analysis/1411904511/ you can see that 17/55 scanners flag your file as malicious. Furthermore since the email from Hurricane Electric specifically stated "HackTool.Win32.mIRC.atR" you can know that it was most likely Baidu that caught you so I would recommend contacting them, and maybe the other 16 AV software, to get your file delisted. Wolstech's advice is good. If you host the file elsewhere it will only be a single download that will break rather than your entire website getting taken down should something like this happen again.

[Luth]

Thank you

I will make the appropriate measures by the end of the week, to avoid this thing happening again in the future.